115e9af8f531c863eb207c66e00f0ae4b6454cb6dc03059d30470bb1a0be69bf

Analysis

max time kernel
135s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_1ef6455c70dbe43d9ce94000c70d7a0a_ryuk.exe
Size

1.1MB
MD5

1ef6455c70dbe43d9ce94000c70d7a0a
SHA1

a2cd013b7761cacf8e6c4035842cb637d0afe27b
SHA256

115e9af8f531c863eb207c66e00f0ae4b6454cb6dc03059d30470bb1a0be69bf
SHA512

74a273928152e7ef6711af5f0e4a89d7eb9a2d018d25798058c28e819603012908066719c268ef2525ce93611664900c9be3b9df5b77a0e8d8f4b703d0ab3744
SSDEEP

24576:mSi1SoCU5qJSr1eWPSCsP0MugC6eTQ8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:2S7PLjeTQgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
464	Process not Found
2920	alg.exe
2604	aspnet_state.exe
2380	mscorsvw.exe
2668	mscorsvw.exe
2436	mscorsvw.exe
1484	mscorsvw.exe
1976	ehRecvr.exe
2636	ehsched.exe
1440	elevation_service.exe
1492	IEEtwCollector.exe
2260	GROOVE.EXE
2960	dllhost.exe
432	maintenanceservice.exe
684	OSE.EXE
2996	OSPPSVC.EXE
2244	mscorsvw.exe
2280	mscorsvw.exe
524	mscorsvw.exe
2288	mscorsvw.exe
1316	mscorsvw.exe
2492	mscorsvw.exe
1016	mscorsvw.exe
2212	mscorsvw.exe
2296	mscorsvw.exe
1608	mscorsvw.exe
852	mscorsvw.exe
2060	mscorsvw.exe
1812	mscorsvw.exe
2912	mscorsvw.exe
1944	mscorsvw.exe
2540	mscorsvw.exe
1644	mscorsvw.exe
1196	mscorsvw.exe
1924	mscorsvw.exe
2644	mscorsvw.exe
2564	mscorsvw.exe
1724	mscorsvw.exe
1508	mscorsvw.exe
2752	mscorsvw.exe
2124	mscorsvw.exe
3060	msdtc.exe
1756	msiexec.exe
1624	perfhost.exe
1744	locator.exe
2016	snmptrap.exe
3036	vds.exe
1808	vssvc.exe
1008	wbengine.exe
2984	WmiApSrv.exe
2168	wmpnetwk.exe
2844	SearchIndexer.exe
1208	mscorsvw.exe
2636	mscorsvw.exe
1940	mscorsvw.exe
1704	mscorsvw.exe
2808	mscorsvw.exe
564	mscorsvw.exe
2976	mscorsvw.exe
2628	mscorsvw.exe
2948	mscorsvw.exe
2536	mscorsvw.exe
1372	mscorsvw.exe
2348	mscorsvw.exe

Loads dropped DLL 51 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1756	msiexec.exe
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
728	Process not Found
2808	mscorsvw.exe
2808	mscorsvw.exe
2976	mscorsvw.exe
2976	mscorsvw.exe
2948	mscorsvw.exe
2948	mscorsvw.exe
1372	mscorsvw.exe
1372	mscorsvw.exe
2884	mscorsvw.exe
2884	mscorsvw.exe
2044	mscorsvw.exe
2044	mscorsvw.exe
2948	mscorsvw.exe
2948	mscorsvw.exe
1448	mscorsvw.exe
1448	mscorsvw.exe
1992	mscorsvw.exe
1992	mscorsvw.exe
956	mscorsvw.exe
956	mscorsvw.exe
2948	mscorsvw.exe
2948	mscorsvw.exe
2636	mscorsvw.exe
2636	mscorsvw.exe
1784	mscorsvw.exe
1784	mscorsvw.exe
1568	mscorsvw.exe
1568	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
2236	mscorsvw.exe
2236	mscorsvw.exe
2876	mscorsvw.exe
2876	mscorsvw.exe
2820	mscorsvw.exe
2820	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\5519f9eaae4ef42b.bin	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-03_1ef6455c70dbe43d9ce94000c70d7a0a_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-03_1ef6455c70dbe43d9ce94000c70d7a0a_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-06-03_1ef6455c70dbe43d9ce94000c70d7a0a_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-03_1ef6455c70dbe43d9ce94000c70d7a0a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	mscorsvw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7A5E.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7291.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-06-03_1ef6455c70dbe43d9ce94000c70d7a0a_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{714A7748-E375-4727-BB4E-E7BD004D674B}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7C61.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-06-03_1ef6455c70dbe43d9ce94000c70d7a0a_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-06-03_1ef6455c70dbe43d9ce94000c70d7a0a_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-06-03_1ef6455c70dbe43d9ce94000c70d7a0a_ryuk.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP78C8.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-06-03_1ef6455c70dbe43d9ce94000c70d7a0a_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 = "Windows PowerShell ISE"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-601 = "View reports from transfers you've performed"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000000008b1e6b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1216	ehRec.exe
1440	elevation_service.exe
1440	elevation_service.exe
1440	elevation_service.exe
1440	elevation_service.exe
1440	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2872	2024-06-03_1ef6455c70dbe43d9ce94000c70d7a0a_ryuk.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: 33	784	EhTray.exe
Token: SeIncBasePriorityPrivilege	784	EhTray.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeDebugPrivilege	1216	ehRec.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: 33	784	EhTray.exe
Token: SeIncBasePriorityPrivilege	784	EhTray.exe
Token: SeDebugPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1440	elevation_service.exe
Token: SeRestorePrivilege	1756	msiexec.exe
Token: SeTakeOwnershipPrivilege	1756	msiexec.exe
Token: SeSecurityPrivilege	1756	msiexec.exe
Token: SeBackupPrivilege	1808	vssvc.exe
Token: SeRestorePrivilege	1808	vssvc.exe
Token: SeAuditPrivilege	1808	vssvc.exe
Token: SeBackupPrivilege	1008	wbengine.exe
Token: SeRestorePrivilege	1008	wbengine.exe
Token: SeSecurityPrivilege	1008	wbengine.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeDebugPrivilege	1440	elevation_service.exe
Token: SeManageVolumePrivilege	2844	SearchIndexer.exe
Token: 33	2844	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2844	SearchIndexer.exe
Token: 33	2168	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2168	wmpnetwk.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe
Token: SeShutdownPrivilege	2436	mscorsvw.exe
Token: SeShutdownPrivilege	1484	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
784	EhTray.exe
784	EhTray.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
784	EhTray.exe
784	EhTray.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2632	SearchProtocolHost.exe
2632	SearchProtocolHost.exe
2632	SearchProtocolHost.exe
2632	SearchProtocolHost.exe
2632	SearchProtocolHost.exe
2508	SearchProtocolHost.exe
2508	SearchProtocolHost.exe
2508	SearchProtocolHost.exe
2508	SearchProtocolHost.exe
2508	SearchProtocolHost.exe
2508	SearchProtocolHost.exe
2508	SearchProtocolHost.exe
2508	SearchProtocolHost.exe
2508	SearchProtocolHost.exe
2508	SearchProtocolHost.exe
2508	SearchProtocolHost.exe
2508	SearchProtocolHost.exe
2508	SearchProtocolHost.exe
2508	SearchProtocolHost.exe
2508	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2244	2436	mscorsvw.exe	45
PID 2436 wrote to memory of 2244	2436	mscorsvw.exe	45
PID 2436 wrote to memory of 2244	2436	mscorsvw.exe	45
PID 2436 wrote to memory of 2244	2436	mscorsvw.exe	45
PID 2436 wrote to memory of 2280	2436	mscorsvw.exe	46
PID 2436 wrote to memory of 2280	2436	mscorsvw.exe	46
PID 2436 wrote to memory of 2280	2436	mscorsvw.exe	46
PID 2436 wrote to memory of 2280	2436	mscorsvw.exe	46
PID 2436 wrote to memory of 524	2436	mscorsvw.exe	49
PID 2436 wrote to memory of 524	2436	mscorsvw.exe	49
PID 2436 wrote to memory of 524	2436	mscorsvw.exe	49
PID 2436 wrote to memory of 524	2436	mscorsvw.exe	49
PID 2436 wrote to memory of 2288	2436	mscorsvw.exe	50
PID 2436 wrote to memory of 2288	2436	mscorsvw.exe	50
PID 2436 wrote to memory of 2288	2436	mscorsvw.exe	50
PID 2436 wrote to memory of 2288	2436	mscorsvw.exe	50
PID 2436 wrote to memory of 1316	2436	mscorsvw.exe	51
PID 2436 wrote to memory of 1316	2436	mscorsvw.exe	51
PID 2436 wrote to memory of 1316	2436	mscorsvw.exe	51
PID 2436 wrote to memory of 1316	2436	mscorsvw.exe	51
PID 2436 wrote to memory of 2492	2436	mscorsvw.exe	52
PID 2436 wrote to memory of 2492	2436	mscorsvw.exe	52
PID 2436 wrote to memory of 2492	2436	mscorsvw.exe	52
PID 2436 wrote to memory of 2492	2436	mscorsvw.exe	52
PID 2436 wrote to memory of 1016	2436	mscorsvw.exe	53
PID 2436 wrote to memory of 1016	2436	mscorsvw.exe	53
PID 2436 wrote to memory of 1016	2436	mscorsvw.exe	53
PID 2436 wrote to memory of 1016	2436	mscorsvw.exe	53
PID 2436 wrote to memory of 2212	2436	mscorsvw.exe	54
PID 2436 wrote to memory of 2212	2436	mscorsvw.exe	54
PID 2436 wrote to memory of 2212	2436	mscorsvw.exe	54
PID 2436 wrote to memory of 2212	2436	mscorsvw.exe	54
PID 2436 wrote to memory of 2296	2436	mscorsvw.exe	55
PID 2436 wrote to memory of 2296	2436	mscorsvw.exe	55
PID 2436 wrote to memory of 2296	2436	mscorsvw.exe	55
PID 2436 wrote to memory of 2296	2436	mscorsvw.exe	55
PID 2436 wrote to memory of 1608	2436	mscorsvw.exe	56
PID 2436 wrote to memory of 1608	2436	mscorsvw.exe	56
PID 2436 wrote to memory of 1608	2436	mscorsvw.exe	56
PID 2436 wrote to memory of 1608	2436	mscorsvw.exe	56
PID 2436 wrote to memory of 852	2436	mscorsvw.exe	57
PID 2436 wrote to memory of 852	2436	mscorsvw.exe	57
PID 2436 wrote to memory of 852	2436	mscorsvw.exe	57
PID 2436 wrote to memory of 852	2436	mscorsvw.exe	57
PID 2436 wrote to memory of 2060	2436	mscorsvw.exe	58
PID 2436 wrote to memory of 2060	2436	mscorsvw.exe	58
PID 2436 wrote to memory of 2060	2436	mscorsvw.exe	58
PID 2436 wrote to memory of 2060	2436	mscorsvw.exe	58
PID 2436 wrote to memory of 1812	2436	mscorsvw.exe	59
PID 2436 wrote to memory of 1812	2436	mscorsvw.exe	59
PID 2436 wrote to memory of 1812	2436	mscorsvw.exe	59
PID 2436 wrote to memory of 1812	2436	mscorsvw.exe	59
PID 2436 wrote to memory of 2912	2436	mscorsvw.exe	60
PID 2436 wrote to memory of 2912	2436	mscorsvw.exe	60
PID 2436 wrote to memory of 2912	2436	mscorsvw.exe	60
PID 2436 wrote to memory of 2912	2436	mscorsvw.exe	60
PID 2436 wrote to memory of 1944	2436	mscorsvw.exe	61
PID 2436 wrote to memory of 1944	2436	mscorsvw.exe	61
PID 2436 wrote to memory of 1944	2436	mscorsvw.exe	61
PID 2436 wrote to memory of 1944	2436	mscorsvw.exe	61
PID 2436 wrote to memory of 2540	2436	mscorsvw.exe	62
PID 2436 wrote to memory of 2540	2436	mscorsvw.exe	62
PID 2436 wrote to memory of 2540	2436	mscorsvw.exe	62
PID 2436 wrote to memory of 2540	2436	mscorsvw.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-03_1ef6455c70dbe43d9ce94000c70d7a0a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_1ef6455c70dbe43d9ce94000c70d7a0a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2380

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 278 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2fc -NGENProcess 284 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 278 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 30c -NGENProcess 294 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 314 -NGENProcess 304 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 290 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2ec -NGENProcess 30c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 328 -NGENProcess 2ec -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 318 -NGENProcess 30c -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 308 -NGENProcess 330 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 288 -NGENProcess 2b0 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 36c -NGENProcess 300 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 35c -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 370 -NGENProcess 36c -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 378 -NGENProcess 35c -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 32c -NGENProcess 358 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 36c -NGENProcess 378 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 300 -NGENProcess 38c -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 384 -NGENProcess 378 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 390 -NGENProcess 36c -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 38c -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 39c -NGENProcess 378 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 374 -NGENProcess 35c -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f4 -NGENProcess 2f0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 2f8 -NGENProcess 398 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 3b0 -NGENProcess 374 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 3bc -NGENProcess 35c -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 35c -NGENProcess 388 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3bc -NGENProcess 3a8 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 374 -NGENProcess 3cc -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3b4 -NGENProcess 3a8 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3d4 -NGENProcess 3a8 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3f4 -NGENProcess 3d0 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3f8 -NGENProcess 3d4 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3cc -NGENProcess 238 -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 408 -NGENProcess 3d0 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 3f8 -NGENProcess 418 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 418 -NGENProcess 3cc -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 41c -NGENProcess 408 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 3f8 -NGENProcess 424 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 424 -NGENProcess 3a8 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 3a8 -NGENProcess 410 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 430 -NGENProcess 3cc -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 3cc -NGENProcess 424 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 434 -NGENProcess 410 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 410 -NGENProcess 430 -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 420 -NGENProcess 3f8 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 3f8 -NGENProcess 424 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 424 -NGENProcess 414 -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 414 -NGENProcess 41c -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 454 -NGENProcess 44c -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 440 -NGENProcess 238 -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 460 -NGENProcess 458 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 458 -NGENProcess 448 -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 468 -NGENProcess 238 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 460 -NGENProcess 46c -Pipe 468 -Comment "NGen Worker Process"
  2⤵
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 478 -NGENProcess 448 -Pipe 474 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 480 -NGENProcess 460 -Pipe 484 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 46c -NGENProcess 3cc -Pipe 478 -Comment "NGen Worker Process"
  2⤵
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 46c -InterruptEvent 444 -NGENProcess 448 -Pipe 460 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 488 -NGENProcess 448 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 450 -NGENProcess 464 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 494 -InterruptEvent 49c -NGENProcess 4a0 -Pipe 488 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a4 -InterruptEvent 448 -NGENProcess 4a0 -Pipe 48c -Comment "NGen Worker Process"
  2⤵
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 4b0 -NGENProcess 23c -Pipe 4ac -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 4b4 -NGENProcess 498 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4c0 -NGENProcess 49c -Pipe 4bc -Comment "NGen Worker Process"
  2⤵
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4b8 -NGENProcess 464 -Pipe 4a0 -Comment "NGen Worker Process"
  2⤵
  PID:680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 4c4 -NGENProcess 4a8 -Pipe 47c -Comment "NGen Worker Process"
  2⤵
  PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4c8 -NGENProcess 49c -Pipe 4bc -Comment "NGen Worker Process"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 49c -InterruptEvent 464 -NGENProcess 4c4 -Pipe 4c8 -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d4 -InterruptEvent 4dc -NGENProcess 4c4 -Pipe 498 -Comment "NGen Worker Process"
  2⤵
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4dc -InterruptEvent 4e4 -NGENProcess 4b4 -Pipe 4e0 -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4e8 -NGENProcess 46c -Pipe 4dc -Comment "NGen Worker Process"
  2⤵
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f0 -InterruptEvent 4e8 -NGENProcess 4b4 -Pipe 4d0 -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4f8 -InterruptEvent 4b8 -NGENProcess 4fc -Pipe 4f0 -Comment "NGen Worker Process"
  2⤵
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 4ec -NGENProcess 4b4 -Pipe 4a4 -Comment "NGen Worker Process"
  2⤵
  PID:820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 500 -NGENProcess 4f8 -Pipe 46c -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 4c0 -NGENProcess 4b4 -Pipe 4f4 -Comment "NGen Worker Process"
  2⤵
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 4b4 -NGENProcess 4e8 -Pipe 50c -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b4 -InterruptEvent 4b8 -NGENProcess 508 -Pipe 510 -Comment "NGen Worker Process"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4b8 -InterruptEvent 504 -NGENProcess 4c4 -Pipe 4fc -Comment "NGen Worker Process"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 504 -InterruptEvent 514 -NGENProcess 4e8 -Pipe 4f8 -Comment "NGen Worker Process"
  2⤵
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 518 -InterruptEvent 4cc -NGENProcess 4d4 -Pipe 4b8 -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c4 -InterruptEvent 4cc -NGENProcess 518 -Pipe 504 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4e8 -InterruptEvent 4d8 -NGENProcess 500 -Pipe 4c4 -Comment "NGen Worker Process"
  2⤵
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4d8 -InterruptEvent 4ec -NGENProcess 518 -Pipe 514 -Comment "NGen Worker Process"
  2⤵
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4ec -InterruptEvent 4c0 -NGENProcess 4cc -Pipe 508 -Comment "NGen Worker Process"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 4c0 -NGENProcess 124 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4cc -InterruptEvent 4c0 -NGENProcess 208 -Pipe 4e8 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 124 -InterruptEvent 4c0 -NGENProcess 4d8 -Pipe 520 -Comment "NGen Worker Process"
  2⤵
  PID:1548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 500 -NGENProcess 208 -Pipe 51c -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 530 -NGENProcess 4cc -Pipe 52c -Comment "NGen Worker Process"
  2⤵
  PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 124 -InterruptEvent 528 -NGENProcess 530 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 124 -InterruptEvent 4d4 -NGENProcess 464 -Pipe 518 -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 53c -InterruptEvent 4c0 -NGENProcess 538 -Pipe 124 -Comment "NGen Worker Process"
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 500 -NGENProcess 464 -Pipe 530 -Comment "NGen Worker Process"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 500 -InterruptEvent 548 -NGENProcess 4d4 -Pipe 524 -Comment "NGen Worker Process"
  2⤵
  PID:1084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 54c -NGENProcess 4c0 -Pipe 53c -Comment "NGen Worker Process"
  2⤵
  PID:472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 4c0 -NGENProcess 538 -Pipe 4d4 -Comment "NGen Worker Process"
  2⤵
  PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 550 -InterruptEvent 538 -NGENProcess 4d8 -Pipe 464 -Comment "NGen Worker Process"
  2⤵
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4c0 -InterruptEvent 564 -NGENProcess 500 -Pipe 4d8 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 570 -InterruptEvent 55c -NGENProcess 4c0 -Pipe 574 -Comment "NGen Worker Process"
  2⤵
  PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 54c -InterruptEvent 548 -NGENProcess 4c0 -Pipe 55c -Comment "NGen Worker Process"
  2⤵
  PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 548 -InterruptEvent 588 -NGENProcess 564 -Pipe 584 -Comment "NGen Worker Process"
  2⤵
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 588 -InterruptEvent 58c -NGENProcess 578 -Pipe 580 -Comment "NGen Worker Process"
  2⤵
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 578 -InterruptEvent 57c -NGENProcess 54c -Pipe 590 -Comment "NGen Worker Process"
  2⤵
  PID:1372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 164 -NGENProcess 168 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 1dc -NGENProcess 1e4 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1976

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:784

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2260

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2960

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:432

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:684

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3060

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2016

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2844
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2632
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
  2⤵
  - Modifies data under HKEY_USERS
  PID:1556
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
eaa66bcab94f146ef5ec3e314ef4c87e

SHA1
7b7a43fbf2f2ea0b87925c7c43c8fa96704ad318

SHA256
6b36a6c65afdeec4eaede67d74a96f2828dbbe6665a24c0b320302977056900c

SHA512
a894a993d7860f621082eedb09640bf13ab0e1724b67920a684e3339d92217f001545148d4bde1c5884808df5d63dcf9cb7e93726fdd813cdada6cb3dbf0bc25

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
2f3d23c76df4287ee3b06b4e5f45c313

SHA1
c2caf9508f006d2fb4eef93ec5708ece7c41d5f9

SHA256
722834ec9b458b0654df441b64845b6baa7efbd4f0dcac599b81eabe36d3e7cf

SHA512
ca2c91d7863b688a3a3c4e484175bd5cc8cd00a8bb70adc39f104ab02ed811c9ce7afc3b53bcc390b8f0328836fb0eea9d28db14c31c68b70a72684e548fdd30

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
773a39f0517d9685e429a22b51c5f90f

SHA1
820e269e971d71e176fb021f29db8a75f30e50f7

SHA256
d15abbab1741defb6e2eb07219e00565ec37360378e47f322b7315c499f696db

SHA512
c56dc2017b577a2fe2020f9f3475da05c57652b520670d723691463e9b6eacbeb830f795861d3856b441c25e0ea65b5a9b35a51259213d4d2246f7d3c1485e68

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
6159b31cefd59e7ad071cb626f18a647

SHA1
83339dac5ce8c1986830971a1c564b603390099f

SHA256
f69f7f29d4d4bbd077fd67f72c3440981f2ebb3e7bdb6234b8eefdebbbacc1e5

SHA512
3ac579ac5643e57e8dbf07a98bfde6502e91604306c72aa766fe191f91cc1530d14447e2f800d3ad6fc533a3102ba519ed47f509266864ab454c7ec89c9dd197

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b8d70b5976dd6e91b23a92eb68c9c127

SHA1
89162578c13b14d8630cdc15519cc74c3b1a1078

SHA256
3cd498d06d291b527da7179e1d4a227d558cb8d9988a819627825f4277fd9102

SHA512
0028bf588a6dfaf0f8e0a42d7839b15a21ff7191b7fac9a7b16ff7a5b0695ebeb6dcc0518457c22a8a15df8a864e1dd84b1dac5ae2b9776a4febaff2544ea13f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e4e8bd22f7cb41cb482ed6d096f5454a

SHA1
fd9e9fbb155380f3cebd918891f934e7e2b9939f

SHA256
4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7

SHA512
a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
b333b228b5665a61f4a7f6c07857bbdf

SHA1
3e7ad7cbfba303ee86e8ed67d9af92e832783d46

SHA256
ae5a900167126eec02018395e74fda836abb90e1da83d919cb33cb6ddd5b9260

SHA512
9dda4513576f93a6b20738518348d9970b0610bdb7b30acb492486b51f9f92c203ae0fb04f2a4abb56794357e74898cc841bdd4c3d1bc077a1050eba3631b6a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
27c6b02e2f8432dd4bf13a6ee149ca36

SHA1
e91c9ae316e8ed0b5a042c0ad06435eb7fe94d73

SHA256
e380a8e7d289b84b31c204ae549b7b10a5287d0d68d409e3d1bd9ee899da37f1

SHA512
5818dcfe75a8180d0d23b003d994434af6994f95b000785fc086c9d6ca9ac36e923dae75a069a1cd339751fd878038f91d6e2fa481b5f7f05a6c9ccec1fe6ccb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
1c9df9814b9e75d9118bfaaa672e5856

SHA1
5cb5358ebf3d3cd58b87e30b7bf9cc2b6c141c32

SHA256
2b96b6aa28de99aa236d54bcbd71d836b42f0199f1fd3c9b3ff78a49be395411

SHA512
7bc9f338846a8c7148e3a8f1181e1b5c9431baea857707013cbbfd42f8d4e67d250414a4fdae03b4fde16ca0ed6cad28d9b1db4ced7e3c932ff6c5d71a44a60c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
6eb104e2e58f1b42f14aacd7b109f032

SHA1
f3af252c8cb797ff10deb582dfb2abd8f6873f0b

SHA256
91032bd5d4f6f9006bdd4219c3d05462b6221299642878e0c7db85e066d55a1b

SHA512
899e5471299c34cf6d3f8b88108300766ea587c03f2151510e5f99de709fc88906f9b1424fc73824b9cd657284b1baf2450c7bd4263ab3909c716388a25939fe

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
cd3607a12823296d8e72671ed79ff31a

SHA1
79d2055dadf1afeff273d7d50bcb373d1148f50b

SHA256
f90d713570fe4207fc33ef579b4551cf3665c283a84ec5124bf872bec6106ff1

SHA512
7297af607689e85af728d05a05d9ecef5d8bdb4d023c2da48c0965072d0b48f1ad08dad66be3f06ce2c52b672d442d56762a1eb2f54023c087dc7016b0527352

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
634c67158ae57cba82926b573597a1db

SHA1
bac66ebabca467fb47514134fc69948b00ea9cf2

SHA256
13a79be10be03089c0769b744deabd941a07f979dcb975cdff7df2ef6a350ddd

SHA512
2eefc18f8b5108b2a98bdd0473c6f75b190655b9650fa3d94ce4f9d6fff12317be04be8f141fee9584aba2c0275db2fc4eb0ba9329b20a5861ed532f472876e0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
f2debb054ef0ecf3e403a696360d7442

SHA1
dfffd4c65bfe633af6badaed78a615f05ad51d8e

SHA256
9de301438fb264e38106f9ee2fd96ed33236c9e3934761b1b0326aa97c13524d

SHA512
d8b1e3e1e338b269c65f1bfa0a2962b35a0848fbd1aad1a509b2f7f9e902b3fe8ffd3ea61096f0c0221222525fe295f3057306dcfa89c72533f18d31a58b0ab7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
2ef1c8ed9d62cf7ac123f6029b00af7e

SHA1
fb7d1dd0bb89d850826780aaa9615a66a50e7d07

SHA256
12f4e4144154dac7ff391bce1aa7b98fd9de33b1d8526d6fcf3bed913483ad71

SHA512
53cc56d55f51e136a5b2f729ff612e331764456f5a83ddb7e818f0379fcbdc5af524368dfeec0cd6b128bbce63945d47acddbbd066e272c2076054bf4947a5e0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
ed838df410fd3aa8d2d8cbcdcdb84475

SHA1
0aa16ae2fcf00ea2d41e4f665393c45177e6fc04

SHA256
372c15071ba42ba8010e3d1a2133972f14b2c9e4875a3ab29d15d486c52069bf

SHA512
5f1f8bf840b5c7323e5ca1044f1347ee211f2165929316e1b716dad5c276713fefee7e6a7aa9c11a4e8e2ecd210c997ce3dba4a57c85faa88d5ee7efa0da59e2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
8d14249924daec33a29c0ea5d0f713d4

SHA1
473e0cc017c4c91cdce6ede80e2ca2c74bcffc5c

SHA256
51bdfa591d9712bc0bc0c6f2403c0ae259ecf05f411954ef720d62d8aa65a07c

SHA512
01f777cfe08921d37332981bf576c0022d74907851102cad25a9b7c2cca2c96c9bda112d990a3c02237e7ba825497270c225139e525b4b8024b1dad86b2d2e0b

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
1.4MB

MD5
9637386867e72c18e1db6f5a1437f379

SHA1
941dfd7feca600ac07f692eed8afbbd8550d8b94

SHA256
81cd89954e582794e13a35e3f76892490e55a51101ae1ef5049b20ec197ed82c

SHA512
e0acc0320dd9f432c947d09f51f34e4545896669bd513771e33075b31ad482b47e11116c04ebe9043eb1c9deac51bb9373c574ecd267042a0d81ec94a84a572d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

Filesize
834KB

MD5
c76656b09bb7df6bd2ac1a6177a0027c

SHA1
0c296994a249e8649b19be84dce27c9ddafef3e0

SHA256
a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0

SHA512
8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

Filesize
797KB

MD5
aeb0b6e6c5d32d1ada231285ff2ae881

SHA1
1f04a1c059503896336406aed1dc93340e90b742

SHA256
4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263

SHA512
e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

Filesize
163KB

MD5
e88828b5a35063aa16c68ffb8322215d

SHA1
8225660ba3a9f528cf6ac32038ae3e0ec98d2331

SHA256
99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142

SHA512
e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

Filesize
1.3MB

MD5
006498313e139299a5383f0892c954b9

SHA1
7b3aa10930da9f29272154e2674b86876957ce3a

SHA256
489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c

SHA512
6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\17944df39d49a886133d0dcafc53abdb\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
63da171f239ad541e5b951446596cd51

SHA1
ae85e067666bae1a3ad257c2381d4da18f9c9706

SHA256
48b14982755e4dd96ce50be0b3b8ef6e40314e9881f07f645f561af9fae8dc60

SHA512
72176cef8f1be757b6642f29dc049c2c5dc429febeda99f159dac99f34d9dd25be157bab7227be2da41fbad6301263326b4fbd33027e14f1c43b6e5b85f3f7fa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\d4bc5fcba78f0059cb4555cdefa7afe7\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
3143e40ce991277bd2509706e2a9d67b

SHA1
afbd204834eca5f6b4f3c82cd3c02a3298f9a635

SHA256
ce9e89fd668d638385682dee9578c96f3a3daa23258b82244d993fc1b0a241fa

SHA512
e7f7199a2cba232276d259d7d791cdc763e6aee5b920d43e2a8a91a3d50f15ea904d62871c5763e747b212067ea67910347dc82c37aae6bb6da297c094756cb7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
f786ebe6116b55d4dc62a63dfede2ca6

SHA1
ab82f3b24229cf9ad31484b3811cdb84d5e916e9

SHA256
9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12

SHA512
80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fdf1ca2ea3edccc26f14e09c65d7d1df\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
8f6557751ef3211a1ebf9c944555385b

SHA1
e42928db780a9d3eaa7bb9ab9daf41571c46e7b6

SHA256
25589cf33d28e42610416b398914049949a070d793779e7ea0367c8276bd3b76

SHA512
48905dc01594effc885fbb9aabd2f194b4f729f960ab5f45f7933e5c8c12c59869f7401079da4c71d7ac2a4b797c2d512adbeeb0a2e494498e14d334d6460480

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
ce5bb4684f3c578af59411dd6b6f059b

SHA1
f82d1440e2191b356cce5969c0c757cff34e1b2d

SHA256
c9b3eed1780087763bdde941f398cdfee4d8a2343546cd5363d68f15cda6cc14

SHA512
aaa45b1478782893a0a76458da87e4d1cfc1bc2739e9d996dcac906bf78cbd4e57890c523a77be631718c7c91962d04ed690686ef6da4915f61017c55330cebc

Download Submit
\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
7a7dcebb57a5019f82933096678a30c3

SHA1
bae736e924ccb11514a43cec555aef081111aa43

SHA256
f2def45d063bdace22c43efaffaba4168052987e6b72979d53066dce092f1fcf

SHA512
2374dfa874873525dc41ab01f97d875499179a69c20b01e138ff703f4627a717ba17afb9c007ce7b0d6f0efa059bff8d70c3ebb2df2fb7020bc5f6252cf0b1d2

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.5MB

MD5
a06e1792979802a6aade4238aa89035c

SHA1
6963f7c07b8b1afc12680676c7f6f41409e48c7e

SHA256
4fb78525f962fce9c0a76de1d54cc3dd5861c886239db86afa50a3a0ce937db8

SHA512
5e08ea09d4a11911cc987879786b0cdb2071e42f3c816a2f381c128e2678cfebd166ffd70632a6143fe09eb2a15a3eddd8be525c799d272167d75552f30671a5

Download Submit
\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
ed9dd1e1f5dff93f5c75eddf2fa1f267

SHA1
0703db7bb15f9cbcd889a9150d0f9056f899fec6

SHA256
18ef2fd5f5814b4ddce6c0e0b95bd0002be0f8d6383f01325f927d626d1883bd

SHA512
088d053cb1b72ce9b63b62b57fb2d086c0eb521e18d005e8ebcd6ddb060100c7c549fc1ab6fcf352415736b4c404a665fb8ad1de18e17eb93fc55f8dac0cad16

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.5MB

MD5
446bbadd917efb9c254e486d07ddf630

SHA1
b2c040d77f9d9ca99cb62bfef57e0f58969cd66d

SHA256
073ff741841a1ecf6d4a82fb83a4bc7e90500a7a7a59d5fe4e2998d16fd7b313

SHA512
b1e0cf38ce46c4143bb845643c170920f2cc12e8ed0172ee66d91e46f19edc41b2f57e261ed7c2e2f57622f3982768ca420c61b69a1c13d4325e7aa77d004573

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
2aa921190e7df856e41821af099bb1f9

SHA1
9c77781fbc3e97bd45309f0475949e92ba68987f

SHA256
9025a52697a92e68b98d94bfa27cb2f86b8b65a8209c1f172746e3f3aaa926ca

SHA512
c314be3218184b83b9db953912c0eaf429b5c40430d4543c090a2e930e5c067dc360f764396b87c021f69e7d551f6bbef80fb6bec77cb6d45082cdf20be29028

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
4ae898f150c99d3e871e7dcd7663fa1c

SHA1
ddeadf45e09db30112b4b9ad176742ca29ce2d3c

SHA256
4a1860865b6670fc2eef48654c6fd56558944fd1dca877308ae36dbbb3543688

SHA512
153f032fa6ab3bded63c99dfa97d8b1a0dea7764625c08ca27928a951cc3aaf7454b9b15a405ce87e9aacf9f4ede0e5d518c45996a6b9e6090a55b42ba4f5c3e

Download Submit
memory/432-128-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/432-139-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/432-146-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/432-145-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/432-134-0x0000000000FA0000-0x0000000001000000-memory.dmp

Filesize
384KB

Download
memory/524-357-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/524-326-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/684-412-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/684-143-0x000000002E000000-0x000000002E195000-memory.dmp

Filesize
1.6MB

Download
memory/852-453-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/852-465-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1016-414-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1016-395-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1196-540-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1196-535-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1316-371-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1316-388-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1440-276-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1440-91-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1440-99-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1440-97-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1484-55-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1492-103-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1492-325-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1492-514-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/1508-595-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1608-444-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1608-431-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1644-529-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1724-592-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1756-642-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/1756-644-0x00000000005E0000-0x0000000000772000-memory.dmp

Filesize
1.6MB

Download
memory/1756-892-0x00000000005E0000-0x0000000000772000-memory.dmp

Filesize
1.6MB

Download
memory/1756-822-0x0000000100000000-0x0000000100192000-memory.dmp

Filesize
1.6MB

Download
memory/1812-480-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1924-559-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1944-499-0x0000000003CC0000-0x0000000003D7A000-memory.dmp

Filesize
744KB

Download
memory/1944-503-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1976-168-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1976-627-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1976-64-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1976-65-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/1976-71-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/1976-86-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1976-88-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2060-463-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2060-476-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2124-618-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-623-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2212-410-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2212-427-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2244-283-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2244-170-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2260-106-0x0000000000AD0000-0x0000000000B37000-memory.dmp

Filesize
412KB

Download
memory/2260-112-0x0000000000AD0000-0x0000000000B37000-memory.dmp

Filesize
412KB

Download
memory/2260-118-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2260-358-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2280-280-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2280-329-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2288-359-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2288-362-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2296-425-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2296-437-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2380-20-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2380-37-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2436-790-0x0000000001BC0000-0x0000000001BD0000-memory.dmp

Filesize
64KB

Download
memory/2436-788-0x0000000002330000-0x00000000024CE000-memory.dmp

Filesize
1.6MB

Download
memory/2436-142-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2436-47-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/2436-795-0x0000000001F20000-0x0000000001F86000-memory.dmp

Filesize
408KB

Download
memory/2436-794-0x0000000001BC0000-0x0000000001BEA000-memory.dmp

Filesize
168KB

Download
memory/2436-793-0x0000000001BC0000-0x0000000001BC8000-memory.dmp

Filesize
32KB

Download
memory/2436-792-0x0000000001BC0000-0x0000000001BE4000-memory.dmp

Filesize
144KB

Download
memory/2436-40-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2436-41-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/2436-783-0x0000000001BC0000-0x0000000001BCA000-memory.dmp

Filesize
40KB

Download
memory/2436-784-0x0000000001BC0000-0x0000000001BDE000-memory.dmp

Filesize
120KB

Download
memory/2436-785-0x0000000001BC0000-0x0000000001BDA000-memory.dmp

Filesize
104KB

Download
memory/2436-786-0x0000000001F20000-0x0000000001FAC000-memory.dmp

Filesize
560KB

Download
memory/2436-787-0x0000000001F20000-0x0000000001FC4000-memory.dmp

Filesize
656KB

Download
memory/2436-791-0x0000000001F20000-0x0000000001FA8000-memory.dmp

Filesize
544KB

Download
memory/2436-789-0x00000000021D0000-0x00000000022BC000-memory.dmp

Filesize
944KB

Download
memory/2492-400-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2492-384-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2540-525-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2540-504-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2564-574-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2604-120-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2604-17-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2636-374-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2636-82-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2636-249-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2636-84-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2636-76-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/2644-570-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2668-50-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2668-29-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2752-620-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-605-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2872-7-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2872-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2872-117-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2872-90-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2872-116-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2872-1-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/2912-498-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2920-13-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2920-111-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2960-123-0x0000000100000000-0x0000000100175000-memory.dmp

Filesize
1.5MB

Download
memory/2996-149-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2996-155-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2996-423-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/3060-637-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/3060-796-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download